CRITICAL🇵🇱 Wersja polska

CVE-2025-24172

CVSS 9.8v3.1pub. 2025-03-31upd. 2026-04-02

A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. "Block All Remote Content" may not apply for all mail previews.

🤖 AI Analysis
How it works

The issue results from incorrect permission configuration (CWE-276) in the Mail application's sandbox mechanism. When a user enables the "Block All Remote Content" option, intended to block loading of external resources (e.g., tracking images) when previewing messages, this restriction is not consistently applied in all preview display cases. Apple resolved the issue by introducing additional sandbox restrictions.

Impact

An attacker sending a crafted email message can bypass the remote content blocking setting, which may result in disclosure of the recipient's IP address, tracking of user activity, and potential exposure of data confidentiality. Depending on the loaded content, further attacks on system integrity and availability are possible.

Mitigation & patch

The system must be updated to the following versions: macOS Sequoia 15.4, macOS Sonoma 14.7.5, or macOS Ventura 13.7.5. Updates are available through the macOS Software Update mechanism and at the addresses provided in the vendor's references (support.apple.com).

Who is affected

Apple macOS Sequoia versions prior to 15.4, Apple macOS Sonoma versions prior to 14.7.5, Apple macOS Ventura versions prior to 13.7.5.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apple macOS

    OS
    Apple
    < 13.7.514.0 – 14.7.5 (bez)15.0 – 15.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-43300CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu

CVE-2025-31201CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach

CVE-2025-31200CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple — memory corruption (RCE) w przetwarzaniu strumieni audio

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki